1 Storage workflow
Create a bucket to hold objects, choosing the region in which the objects will reside (at the time of writing, Tokyo and Singapore are faster, while the US regions are cheaper), then upload objects to the bucket for persistent storage. Access control, encryption and other settings can be applied to the uploaded objects and to the bucket. Each AWS account can create multiple users, and a user can apply these permission controls to the data it owns.
Content that can currently be stored includes:
(1) Multimedia, music and pictures
(2) Video surveillance files
(3) Records and documents from medical systems
(4) Static website assets
2 Management
Data is managed through the AWS Management Console, whose interface is similar to the EC2 web console, or programmatically through the API (Java, .NET) and REST interfaces.
3 Overview of S3 features
(1) Create and delete buckets
(2) Write, read and delete objects; each object can be anywhere from 1 byte to 5 TB in size
(3) Query bucket and object information using the user's access keys
(4) Choose the region in which data is stored: Tokyo, Singapore or others
(5) Object permission settings: access can be opened to specified users, encryption can be applied, and so on
(6) REST- and SOAP-based interfaces, with SDKs provided for Java and .NET
(7) Easy to extend with additional functionality; the default download protocol is HTTP
(8) An AWS management platform for managing the data
(9) When data is stored or retrieved, a checksum is computed to verify that it has not been corrupted
(10) Reduced redundancy storage: users can designate files such as thumbnails or transcoded media to be stored with fewer redundant copies than the standard level
(11) Access logging for the data, usable for auditing and similar purposes
(12) Versioning for objects, so users can restore an earlier version
4 Access control mechanisms
S3 has four main access control mechanisms.
(1) Identity and Access Management (IAM) policies:
IAM lets an organization with many employees create and manage multiple users under a single AWS account; through IAM policies, specified users can be granted fine-grained control over buckets and objects.
(2) Access control lists (ACLs):
Selectively grant specific permissions on individual objects or buckets.
(3) Bucket policies:
A bucket policy can grant or deny permissions on some or all of the objects within a single bucket.
(4) Query string authentication:
With this form of authentication, an object can be shared through a URL that is valid only for a limited period of time.
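The time-limited URL described under mechanism (4) can be illustrated with the classic query-string scheme (HMAC-SHA1 over the request method, expiry time and resource path, as in Signature Version 2). The code below is an added example written for this page; it is not AWS's or the article's own code, and the access key, secret and bucket name are constructed placeholders. The point it demonstrates is that the expiry is inside the signed string, so a recipient cannot lengthen the sharing window by editing the `Expires` parameter.

```python
"""Query-string authentication (time-limited URL sharing), added example.

Reproduces the Signature Version 2 layout:
    Signature = Base64(HMAC-SHA1(secret, "GET\n\n\n<Expires>\n/<bucket>/<key>"))
and a server-side verifier that enforces the expiry and recomputes the signature.
"""
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, quote, unquote, urlencode, urlparse

ACCESS_KEY = "AKIAEXAMPLEEXAMPLE"        # constructed placeholder, not a real key
SECRET_KEY = b"example-secret-not-real"  # constructed placeholder, not a real key


def _string_to_sign(method, bucket, key, expires):
    # SigV2 fields: method, Content-MD5 (empty), Content-Type (empty),
    # Expires, canonicalized resource
    return f"{method}\n\n\n{expires}\n/{bucket}/{key}"


def _sign(secret, string_to_sign):
    mac = hmac.new(secret, string_to_sign.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(mac).decode("ascii")


def presign_get(bucket, key, expires, access_key=ACCESS_KEY, secret=SECRET_KEY):
    """Build a GET URL that is valid until the Unix timestamp `expires`."""
    sig = _sign(secret, _string_to_sign("GET", bucket, key, expires))
    query = urlencode({"AWSAccessKeyId": access_key, "Expires": expires, "Signature": sig})
    # Assumes a bucket name without dots (virtual-hosted style URL)
    return f"https://{bucket}.s3.amazonaws.com/{quote(key)}?{query}"


def verify_get(url, now, secret=SECRET_KEY):
    """Server-side check. Returns (ok, reason)."""
    parts = urlparse(url)
    qs = parse_qs(parts.query)
    try:
        expires = int(qs["Expires"][0])
        presented = qs["Signature"][0]
    except (KeyError, ValueError):
        return False, "missing or malformed parameters"
    if now > expires:
        return False, "expired"
    bucket = parts.hostname.split(".")[0]
    key = unquote(parts.path.lstrip("/"))
    expected = _sign(secret, _string_to_sign("GET", bucket, key, expires))
    # Constant-time comparison so the check does not leak signature bytes
    if not hmac.compare_digest(expected, presented):
        return False, "bad signature"
    return True, "ok"


def demo():
    """Valid inside the window, rejected after it, rejected when Expires is edited."""
    url = presign_get("example-bucket", "reports/q1.pdf", expires=1_700_000_600)
    ok_in_window, _ = verify_get(url, now=1_700_000_000)
    _, reason_after = verify_get(url, now=1_700_000_601)
    # Move the expiry out by a day without re-signing: the signature no longer matches
    tampered = url.replace("Expires=1700000600", "Expires=1700087000")
    _, reason_tampered = verify_get(tampered, now=1_700_000_000)
    return {"valid": ok_in_window, "expired": reason_after, "tampered": reason_tampered}


if __name__ == "__main__":
    print(demo())
```

Current S3 uses Signature Version 4 (HMAC-SHA256 with a derived signing key) rather than this layout, but the property shown here is the same: the expiry is part of the signed data, and the secret key never leaves the signer.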
4.1 Using IAM policies
An IAM policy is a policy of AWS Identity and Access Management. With it, you can create multiple users under one AWS account, assign them credentials and manage their permissions; it is primarily user-oriented. ACLs and bucket policies serve a similar purpose. A comparison of the three follows:
With an ACL, you can grant other AWS accounts permission to access the resources owned by this account, whereas with IAM you can only grant access permissions to users created under this AWS account; the level of control differs. The three can be combined to compose a security policy, and under certain conditions they are equivalent, for example:
In a policy, you must name the actions to be performed on objects, like PutObject in the figure above. The list of actions is as follows.
Actions Related to Objects
- s3:GetObject (covers REST GET Object, REST HEAD Object, REST GET Object torrent, SOAP GetObject, and SOAP GetObjectExtended)
- s3:GetObjectVersion (covers REST GET Object, REST HEAD Object, REST GET Object torrent, SOAP GetObject, and SOAP GetObjectExtended)
- s3:PutObject (covers the REST PUT Object, REST POST Object, REST Initiate Multipart Upload, REST Upload Part, REST Complete Multipart Upload, SOAP PutObject, and SOAP PutObjectInline)
- s3:GetObjectAcl
- s3:GetObjectVersionAcl
- s3:PutObjectAcl
- s3:PutObjectVersionAcl
- s3:DeleteObject
- s3:DeleteObjectVersion
- s3:ListMultipartUploadParts
- s3:AbortMultipartUpload
- s3:GetObjectTorrent
- s3:GetObjectVersionTorrent
- s3:RestoreObject
Actions Related to Buckets
- s3:CreateBucket
- s3:DeleteBucket
- s3:ListBucket
- s3:ListBucketVersions
- s3:ListAllMyBuckets (covers REST GET Service and SOAP ListAllMyBuckets)
- s3:ListBucketMultipartUploads
Actions Related to Bucket Sub-Resources
- s3:GetBucketAcl
- s3:PutBucketAcl
- s3:GetBucketCORS
- s3:PutBucketCORS
- s3:GetBucketVersioning
- s3:PutBucketVersioning
- s3:GetBucketRequestPayment
- s3:PutBucketRequestPayment
- s3:GetBucketLocation
- s3:GetBucketPolicy
- s3:DeleteBucketPolicy
- s3:PutBucketPolicy
- s3:GetBucketNotification
- s3:PutBucketNotification
- s3:GetBucketLogging
- s3:PutBucketLogging
- s3:GetBucketWebsite
- s3:PutBucketWebsite
- s3:DeleteBucketWebsite
- s3:GetLifecycleConfiguration
- s3:PutLifecycleConfiguration
Policies also have condition keys, which allow resources to be controlled even more tightly. The key list follows; on this page only the Description column of the original table survived, so the Action and Applicable Keys cells are empty.
| Action | Applicable Keys | Description |
|---|---|---|
| | | The Amazon S3 canned ACL that is applied to the object. A canned ACL represents a predefined permission that can be applied to the object being PUT to Amazon S3. |
| | | The header that specifies the name of the source bucket and key name of the source object, separated by a slash (/). Used when copying an object. |
| | | These conditions relate to the ACL-specific request headers the action supports. You can add a condition in your bucket policy to deny or grant the action based on the presence of these headers with specific values. For more information about the API and the request headers, go to PUT Object. For an example policy that uses these condition keys, see Granting Cross-Account Permissions to Upload Objects While Ensuring the Bucket Owner Has Full Control. |
| | | Allow the specific action only if […]. Valid values: AES256 |
| | | The header that specifies whether the metadata is copied from the source object or replaced with metadata provided in the request. If copied, the metadata, except for the version ID, remains unchanged. Otherwise, all original metadata is replaced by the metadata you specify. Used when copying an object. |
| | | The Amazon S3 canned ACL that is applied to the object. A canned ACL represents a predefined permission that can be applied to the object being PUT to Amazon S3. |
| | | These conditions relate to the ACL-specific request headers the action supports. You can add a condition in your bucket policy to deny or grant the action based on the presence of these headers with specific values. For more information about the API and the request headers, go to PUT Object acl. For an example policy that uses these condition keys, see Granting Cross-Account Permissions to Upload Objects While Ensuring the Bucket Owner Has Full Control. |
| | | The version ID of the object being retrieved. |
| | | The version ID of the object ACL being retrieved. |
| | | The version ID of the object ACL being PUT. |
| | | The Amazon S3 canned ACL that is applied to the object. A canned ACL represents a predefined permission that can be applied to the object being PUT to Amazon S3. |
| | | These conditions relate to the ACL-specific request headers the action supports. You can add a condition in your bucket policy to deny or grant the action based on the presence of these headers with specific values. For more information about the API and the request headers, go to PUT Object acl. For an example policy that uses these condition keys, see Granting Cross-Account Permissions to Upload Objects While Ensuring the Bucket Owner Has Full Control. |
| | | The version ID of the object being deleted. |
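The way actions, resources and condition keys combine in a bucket policy is easiest to see by evaluating a policy offline. The following is an added example written for this page (not AWS's evaluator and not the article's code): a small evaluator implementing the documented rules that an explicit Deny overrides any Allow, that `Action` and `Resource` accept wildcards, and that a negated operator such as `StringNotEquals` matches when the key is absent from the request, which is exactly what lets a Deny statement block uploads that omit the server-side-encryption header. The condition keys `s3:x-amz-server-side-encryption` and `s3:x-amz-acl` are real S3 condition keys; the bucket name, account id and user names are constructed placeholders. It models only the bucket policy, not the caller's IAM user policies or object ACLs, which AWS also evaluates.

```python
"""Offline evaluator for S3 bucket-policy statements (added example, not AWS code)."""
import fnmatch
import json

# Constructed sample policy: bucket, account id and principal are placeholders.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowAppUploads", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:user/app-uploader"},
     "Action": ["s3:PutObject", "s3:GetObject"],
     "Resource": "arn:aws:s3:::example-bucket/uploads/*"},
    {"Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}},
    {"Sid": "DenyPublicAcl", "Effect": "Deny", "Principal": "*",
     "Action": ["s3:PutObject", "s3:PutObjectAcl"],
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"s3:x-amz-acl": ["public-read", "public-read-write"]}}}
  ]
}
""")

SUPPORTED_OPERATORS = ("StringEquals", "StringNotEquals", "StringLike", "StringNotLike")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match_any(patterns, value):
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_matches(principal, caller):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return _match_any(principal.get("AWS", []), caller)
    return False


def _condition_matches(condition, ctx):
    # Operators and keys are ANDed; the values listed for one key are ORed.
    for operator, keys in condition.items():
        if operator not in SUPPORTED_OPERATORS:
            raise ValueError(f"unsupported condition operator: {operator}")
        negated = "Not" in operator
        like = operator.endswith("Like")
        for key, allowed in keys.items():
            actual = ctx.get(key)
            if actual is None:
                # Missing key: plain operators fail, negated operators succeed.
                # This is how "Deny if StringNotEquals AES256" catches a request
                # that sends no encryption header at all.
                if negated:
                    continue
                return False
            if like:
                matched = _match_any(allowed, actual)
            else:
                matched = actual in _as_list(allowed)
            if matched == negated:  # plain op needs a match, negated op needs none
                return False
    return True


def evaluate(policy, caller, action, resource, context=None):
    """Return "Allow", "Deny" (explicit) or "ImplicitDeny" for one request."""
    ctx = context or {}
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt.get("Principal", {}), caller):
            continue
        if not _match_any(stmt["Action"], action):
            continue
        if not _match_any(stmt["Resource"], resource):
            continue
        if not _condition_matches(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny overrides every Allow
        decision = "Allow"
    return decision


UPLOADER = "arn:aws:iam::111122223333:user/app-uploader"
OBJ = "arn:aws:s3:::example-bucket/uploads/report.pdf"


def demo():
    """Requests a reviewer would want to try against the policy before attaching it."""
    return {
        "encrypted_upload": evaluate(SAMPLE_POLICY, UPLOADER, "s3:PutObject", OBJ,
                                     {"s3:x-amz-server-side-encryption": "AES256"}),
        "plain_upload": evaluate(SAMPLE_POLICY, UPLOADER, "s3:PutObject", OBJ),
        "public_upload": evaluate(SAMPLE_POLICY, UPLOADER, "s3:PutObject", OBJ,
                                  {"s3:x-amz-server-side-encryption": "AES256",
                                   "s3:x-amz-acl": "public-read"}),
        "delete": evaluate(SAMPLE_POLICY, UPLOADER, "s3:DeleteObject", OBJ),
        "other_prefix": evaluate(SAMPLE_POLICY, UPLOADER, "s3:GetObject",
                                 "arn:aws:s3:::example-bucket/private/notes.txt"),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running `demo()` gives Allow for the encrypted upload, Deny for the upload with no encryption header and for the one requesting a public canned ACL, and ImplicitDeny for the delete and for the object outside the `uploads/` prefix, since nothing grants them.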